Release Notes for Management Center for PIX Firewalls 1.1 on Windows 2000

These release notes are for use with the CiscoWorks Management Center for PIXFirewalls 1.1 (PIXMC). PIXMC is a web-based interface that enables you to configure new PIXFirewalls and Firewall Services Modules (FWSM) and import configurations from existing firewalls. You can configure firewall device settings, access rules, and translations rules, and deploy these configurations to your network. PIXMC also provides a powerful tool for controlling changes made to your network, showing configuration and status changes.

These release notes include:

• New Features

• PIXMC 1.1 Documentation

• Additional Information Online

• Resolved Problems in PIXMC 1.1

• Known Problems

• Obtaining Documentation

• Obtaining Technical Assistance

New Features

Release 1.1 contains the following new features:

•Support for Firewall Service Module (FWSM) 1.1.1 and 1.1.2.

•Separate access rules tables.

•More comprehensive GUI pages and instructions

•Workflow enhancements to better facilitate activity management.

•New home page that describes how to use each tab.

•Detection and warning when you configure features not supported in the selected version of the tool.

•Improved support for PIXFirewall 6.2 including:

–Additional fixup command support.

–DHCP options 66 and 150.

–Turbo ACL.

–LAN-based failover.

–PPPoE.

PIX MC 1.1 Documentation

Note Although every effort has been made to validate the accuracy of the information in the printed and electronic documentation, you should also review the PIXMC 1.1 documentation on Cisco.com for any updates.

Use these publications to learn how to install and use PIXMC 1.1:

•Installing Management Center for PIXFirewalls 1.1 on Windows 2000 (DOC-7815400=)—describes how to install and configure PIXMC. Available by order and on Cisco.com at http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/mgt_pix/pix1_1/index.htm.

•Using Management Center for PIXFirewalls 1.1 (DOC-7815399=)—describes PIXMC, including how to configure and use the tool. Available by order and on Cisco.com at http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/mgt_pix/pix1_1/index.htm.

•PIXMC online help—contains all of the information available in Using Management Center for PIXFirewalls. This ensures you have complete information even if you do not have the manual readily available while using PIXMC.

Additional Information Online

Supported Devices, OS Versions and Commands for Management Center for
PIXFirewalls 1.1 (OL-3792-01) lists devices supported by PIXMC 1.1 and describes support available for PIXFirewalls CLI Commands. It is available on Cisco.com at http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/mgt_pix/pix1_1/index.htm.

The Release Notes for CiscoWorks Common Services 1.0 on Windows 2000 contains information on issues that affect PIXMC. It is available on Cisco.com at http://www.cisco.com/en/US/products/sw/cscowork/ps3996/prod_release_note09186a00800e3dc2.html.

Resolved Problems in PIX MC 1.1

The following table lists problems that were resolved in this release.

Table 1 Resolved Problems
Bug ID	Summary
CSCdw68628	PIXMC doesn't ensure config files deployed to secure directory.
CSCdx07775	No notification of changes to configurations that are not written to Flash memory.
CSCdx31717	Duplicate job names are allowed.
CSCdx68253	Importing devices with the same names is problematic.
CSCdx78382	Editing prev created job can chng devices selected for deployment.
CSCdx88576	CW2K Server desktop login doesn't support multiple PIXMCs.
CSCdy06058	Editing Dynamic Translation rule might change selected addr pool.
CSCdy06257	Two devices with the same name are allowed in a group.
CSCdy25050	IP fragment page fails to notify user of out-of-bounds values.
CSCdy32575	Cant import config file from dir if filename contains a dot(.).
CSCdy42623	If you click Finish, then another button in wizard, browser fails.
CSCdy46311	Deploy transcript unavailable for deploy-to-file or deploy-to-AUS.
CSCdy53474	CW2K Srvr Sysadmin cant open activity, modify settings, etc.
CSCdy55411	Error msg. for lock problem doesn't identify the other activity.
CSCdy59867	Undo activ w/ Easy VPN Remote changes deletes 2ndary VPN IP Addr.
CSCdy61931	PIX OS version page has neither radio button selected.
CSCdy70967	Concurrent import tasks in a single activity might fail.
CSCdy82498	Access rules for a new group do not show up in activity report.
CSCdy88313	Activity stays in ReverseGen if tomcat crashes and is restarted.
CSCdz01730	Gzip wrapper code fails to compress a large amount of data.
CSCdz27219	No support available for modifying Beginning/Ending cmds 2x.
CSCdz43169	Srvc nms not recognized by Conduits&Outbound List Conversion Tool.
CSCdz49100	Interface name change is not detected during deployment.
CSCdz62005	Static command problem with interface name same as named ip.
CSCdz69036	Unique Identity will not accept Inside Address setting.
CSCdz71488	aaa ... LOCAL command needs to be modeled.
CSCea03318	Object selector should not redisplay once object is selected.

Known Problems

This section contains the following problems known to exist in this release:

• Activity Management Known Problems, Table2

• Authentication Known Problems, Table3

• Conduits and Outbound List Conversion Tool Known Problems,
Table4

• Configuration Known Problems, Table5

• Database Known Problems, Table6

• Deployment Known Problems, Table7

• Documentation Known Problems, Table8

• General Known Problems, Table9

• GUI Known Problems, Table10

• Import Known Problems, Table11

• Installation Known Problems, Table12

• PIXMC Server Known Problems, Table13

• Known Problems with CiscoWorks Common Services that Impact PIXMC, Table14

Note To obtain more information about known problems, access the Cisco Software Bug Toolkit at http://www.cisco.com/cgi-bin/Support/Bugtool/home.pl. (You will be prompted to log into Cisco.com.)

Table 2 Activity Management Known Problems
Bug ID	Summary	Additional Information
CSCea25218	Device Agent Framework crashes after activity submit or approval	The Device Agent Framework can unexpectedly crash when processing an activity. When you later try to use PIXMC, you receive the following message: `The application you are attempting to access has dependency holds in place!` Another message appears at the bottom of the page: `The held services and their messages are listed below: Service Identifier: daframework Current message: Device Agent Framework is not operational. There appears to be a problem as DAF should not be down by itself. If this persists you may want to try restarting the CW2000 Daemon Manager service, and if that fails, contact customer service.` This information means that the CiscoWorks2000 Device Agent Framework process has stopped. To work around this problem, restart the CiscoWorks2000 Daemon Manager. The activity that was in progress should be shown as submitted or approved. If the activity is submitted but Require Activity Approval is turned off, follow these steps: 1. Select Admin>Workflow Setup , and then select Require Activity Approval . 2. Select Workflow>Activity Management , and then reject the activity. 3. Submit the activity. 4. Approve the activity. 5. Select Admin>Workflow Setup , and then deselect Require Activity Approval .
CSCdy04737 or CSCdy22303	When approval is disabled, submit privileges are required for using the Approve button.	When approval is disabled, the button for completing (submitting) an activity or job is labeled Approve and there is no Submit button. However, you must have submittal privileges, not approval privileges, to click the Approve button in this case. To work around this problem, submit privileges must be assigned to users required to use the Approve button.
CSCdy19285	Activity Management page should show error message if command generation fails.	When you submit an activity (or approve an activity if the required approval is disabled), new configurations are generated for the affected devices. After a successful generation, the activity enters the submitted state (or approved if required approval is disabled). If an error occurs during configuration generation, the activity will not be submitted (or approved) and the description for the activity is `finish generating configuration`. You are not told of the error. To work around this problem, select the activity from the Activity Management page and click Status . A popup window displays the generation status for each device. You can review any errors from this page.
CSCdz40419	Different user discarding an activity might cause problems.	When a second user discards an activity while a first user is editing it, the first user might have a problem when creating another new activity. To work around this problem, if, after creating the new activity, the activity bar reads "none", go to the Activity Management page. Close and then reopen this new activity.
CSCdz66789	System may fail if database maintenance occurs during product use.	If you compact or restore the database while another user is performing an operation with PIXMC, the user performing the operation might receive a null pointer exception. To work around this problem, restart the CW2000 Daemon Manager and repeat the operation again after the database compact or restore is complete.

Table 3 Authentication Known Problems
Bug ID	Summary	Additional Information
CSCdy40186	Users with help desk role cannot view activity report.	If you have view-only permission, you cannot view the activity report. This is because all radio buttons and check boxes are disabled for users who have view-only permission. To work around this problem, log in under a different role with more privileges, or give additional permissions to users who require activity report access.
CSCdy54466	The Approve button might not be active after an activity is submitted for approval.	Activities might remain in the Generate_Open state if you log out immediately after submitting the activity. To work around this problem, if an activity remains in the Generate_Open state, select the activity from the Activity Management page and click Cancel . When the activity returns to the Edit state, resubmit it.

Table 4 Conduits and Outbound List Conversion Tool Known Problems
Bug ID	Summary	Additional Information
CSCdy66856	Conduits and Outbound List Conversion Tool gives confusing error message on NAT 0 access list.	If you run the Conduits and Outbound List Conversion Tool on a configuration file that contains a NAT 0 access-list command, the following error message appears: `invalid name 'access-list'`. This error message should state that PIXMC does not support the NAT 0 access-list command. To work around this problem, remove the NAT 0 access-list command from the configuration file.
CSCdz59416	Conduits and Outbound List Conversion Tool does not ignore unsupported commands.	The Conduits and Outbound List Conversion Tool does not understand some CLI commands and gives an error message when it receives these commands. To work around this problem, remove the unsupported commands, run the Conduits and Outbound List Conversion Tool, then add the unsupported commands back to the output of the tool.

Table 5 Configuration Known Problems
Bug ID	Summary	Additional Information
CSCea01936	Implementation of IDS Policy default attack and information actions have no effect.	In the PIXMC implementation of IDS Policy, the default attack and information action settings are meaningless. The default settings are never used. To work around this problem, select an action on a specific interface.

Table 6 Database Known Problems
Bug ID	Summary	Additional Information
CSCdy77377	PIXMC database fails when disk space or virtual memory is low.	When the PIXMC database (fms.exe process) runs out of virtual memory or disk space, it shuts down and logs an error message in the Windows Event Viewer. To detect this problem, check the Windows Event Viewer to learn whether the fms.exe process shuts down due to running out of disk space or virtual memory is low. To work around this problem, shut down the daemon manager while you free up the appropriate resources, and then restart the daemon manager.
CSCea10128	Database locks during checkpoint.	Under unusual circumstances, the PIXMC database (fms.exe) might consume all of the CPU performing a checkpoint. To work around this problem if the fms.exe process continues to monopolize system resources for more than 10 minutes, reboot the machine to get fms.exe out of the deadlocked situation.

Table 7 Deployment Known Problems
Bug ID	Summary	Additional Information
CSCdy29184	A misleading error is generated when you deploy to AUS if the PIXMC user account for AUS does not have correct privileges.	If the AUS (Auto Update Server) user account on PIXMC does not have the API_View or API_Write privilege required to deploy to the AUS server, an error stating `STATUS_FAILED authentication failed!` appears when you deploy to AUS.
CSCdz39446	You cannot view transcript when deployment fails.	If deployment fails before PIXMC can send any commands to the device, you cannot get a deployment transcript. This failure might occur due to an invalid device contact IP address, an incorrect password, or something similar. To work around this problem, identify its cause by looking at the error message text in the deployment task status page, fix the error, and then redeploy.
CSCdz64763 or CSCdy72146	Deployment, import, or generate operations remain in waiting state.	During the deployment of devices, the status might change to `STATUS_WAITING` and stay at that state indefinitely. To work around this problem, restart the CW2000 Daemon Manager service. This should cause the deployment to resume and finish.
CSCea02913	global [ (if_name) ] number interface not removed during deployment.	PIXMC allows only a single global pool for each interface to use the keyword interface . When a second global pool on a given interface attempts to use the keyword interface , PIXMC produces a message that simply displays the syntax of the global command. PIXMC will not detect that two pools on the same interface are using the keyword interface . During deployment, PIXMC will blindly send the global command that will attempt to create the second pool and receive the PIXMC error message. To work around this aspect of the problem, you must ensure that multiple pools on a given interface do not use the keyword interface .
CSCea02913 (continued)	global [(if_name)] number interface not removed during deployment. (continued)	In other instances, a more subtle problem can occur. Suppose that an interface pool exists that is using the keyword interface but that pool itself is no longer going to be used. A second pool on the same interface is planning to use the keyword interface . The correct PIXMC behavior would be to make sure the unwanted pool is removed by PIXMC before it creates the new pool. Since PIXMC does not enforce the restriction that only a single interface pool can use the keyword interface , it also fails to ensure that the old pool is removed before the new one is created. Whether that pool is removed before or after the new pool is created is done randomly. To work around this aspect of the problem, do any of the following: •Remove the old pool in one deployment and add the new pool in a second deployment. •Remove the command directly from the device before deployment. •Insert a command temporarily to negate this command in the Beginning Commands file in the following form: no global [( interface_name)] number interface but remember to remove it subsequent to the deployment. •Perform device deployment using AUS.
CSCea02968	Deployment error should not default to rebooting the PIX.	The default, installed behavior for PIXMC is that if an error is detected during deployment, PIXMC stops deploying and reloads the firewall device. Reloading the firewall device is the only way to safely reset the configuration to what it was before deployment. To work around this problem, customers who do not want to allow their firewall device to reload must change the default behavior: 1. Select Configuration>Settings>PIXMC Controls>Management . 2. Click the radio button for the On Deployment Error setting that corresponds with the deployment behavior you want. The options are: •Restore previous config (reboot). •Continue. •Stop (device left partially reconfigured.) Note The On Deployment Error setting can be applied at the device, group, or global level. 3. Click Apply .
CSCea06615	Problems might occur if multiple users deploy jobs concurrently.	When multiple users deploy a number of devices each, PIXMC could stop working and the daemon manager would need to be restarted. If deployed jobs are cancelled after the system restarts, this could cause the system to fail again. To work around this problem, restart CW2000 Daemon Manager, but do nothing to the affected job. Retry the deployment by creating a new job.
CSCea14915	Deploy fails if number of interfaces in GUI and device differ.	Sometimes the number of interfaces or their respective hardware_id's defined in the GUI does not match those on the physical device. An example of this would be if you were to define only ethernet0 and ethernet1 in the GUI, when the device also contains ethernet2. During deployment, PIXMC would attempt to remove all configuration settings for the undefined interface such as its IP address, which causes deployment errors and possibly failure, depending on the meta settings you established regarding error handling. To work around this problem, make sure your configuration of hardware interfaces matches those which are on the device. This includes the number of interfaces and their hardware_id's.
CSCea17787	AAA match statements mishandled during deploy to device	Deploying a AAA match statement might result in a deployment error if the ACL used in the match statement is not valid for AAA. For example, if the ACL used in a AAA accounting match command is `permit ip any any`, the deployment might result in an error state. The reason is that `ip any any` includes ICMP, which can not be accounted for. To work around this problem, make sure the ACL used in AAA match statements is of the appropriate type.
CSCea24619	Rebooting in a (LAN) failover network can cause configuration inconsistencies.	In a LAN-based failover environment, commands that are deployed to the active unit are immediately synchronized to the standby unit. The PIXMC default behavior is to reboot the active unit when an error condition occurs during a configuration deployment. Rebooting the active unit causes the standby to take over, but the standby unit might contain an inconsistent or incomplete configuration. When the standby unit assumes the active mode, it synchronizes its configuration to the new standby unit (previously the active unit). The synchronized commands are only in the running configuration because a write memory command was not issued. To work around this problem: 1. Select Configuration>Settings>PIXMC Controls>Management . 2. Under the On Deployment Error setting, click the Continue radio button.
CSCea22252	Remove dhcpd ip address <pool-range> treated as error during deploy.	Removing a dhcpd command configuration from a firewall device during configuration deployment results in the command no ip address <pool-range> inside being sent to the device. The device responds with `Received:DHCPD disabled on inside interface because address pool is removed`, which PIXMC interprets as an error. If you set the default On Deployment Error behavior to Restore previous config (reboot), PIXMC will reboot the device when it receives this message. Note With PIX OS 6.2(2), dhcpd commands are not synchronized from the active to the standby unit in a LAN-based failover network environment. To work around this problem: 1. Select Configuration>Settings>PIXMC Controls>Management . 2. Under the On Deployment Error setting, select the Continue radio button.
CSCea22086	Placing an apostrophe in activity name caused problem in add job	When you create a job, if any of the devices selected for deployment have been modified using an activity with an apostrophe in the name, the Review Devices page will be blank and not list the devices. You can still create the job and deploy it, but when the job is deployed, the pop-up status screen will be completely empty because of javascript errors. Although the status screen is non-functional, the deploy will still proceed as normal. To work around this problem, do not type an apostrophe in an activity name. If you inadvertently do so, you can proceed to deploy, but you will have trouble getting details in the blank status window. To view the details of a blank status window, follow these steps: 1. To view the HTML source for the page, right-click on the status page and then select View Source from the page's right-click menu. 2. From the HTML source window, search for the word "STATUS" to get some information about the individual devices.

Table 8 Documentation Known Problems
Bug ID	Summary	Additional Information
CSCdx18147 See also CSCdy01919	PIXMC forces you to enter an enable password for each device.	PIXMC requires an enable password that contains at least one character (this field cannot be left empty), even though PIXFirewall does not. Although the tool will import a configuration from a PIXFirewall that has an empty enable password, you must supply an enable password before completing the activity in which the import is performed. Requiring an enable password enhances enterprise security.

Table 9 General Known Problems
Bug ID	Summary	Additional Information
CSCdz59302	Global settings cause problems for devices with no outside interface.	Default setting populations assume that an outside interface is present. If you rename the outside interface, the configuration generation will fail when it generates the anti-spoofing command. To work around this problem, follow these steps: 1. Override the Anti-Spoofing panel at the device level. 2. Deselect the Outside interface. 3. Select the new name for the outside interface. 4. Select Apply .
CSCdz59302

Table 10 GUI Known Problems
Bug ID	Summary	Additional Information
CSCdv77516	PIXMC supports only a single browser page.	PIXMC supports only a single browser page. However, Internet Explorer does not prevent you from creating multiple browser pages. If you use multiple pages on one client computer to contact the same PIXMC server, the results are unpredictable. To work around this problem, use only a single browser page to contact the PIXMC server on each client.
CSCdw37546 or CSCdx05082See also CSCdy59541	If you do not click Apply before you leave a GUI page, your changes are not saved.	You lose edits in a settings page if you click a navigation link before clicking Apply . No warning is displayed before this loss occurs. To work around this problem, you should always click Apply .
CSCdx47739	Job workflow does not prevent multiple jobs from deploying configurations to the same device.	PIXMC does not prevent you from putting the same device in more than one job. This could lead to a deployment error if more than one job tries to deploy to the same device at the same time. Also, you could inadvertently deploy an older approved configuration over a newer one, depending on the order in which the pending jobs are deployed. To work around this problem, avoid adding devices that are part of a pending job when you create new jobs.
CSCdx95909	Using browser's Back button after clicking Finish in a wizard causes problems.	If you click Finish on a wizard and then navigate back to a page in the wizard using the browser back function, clicking Finish again could cause an error or strange navigation. To work around this problem, never use the back function of the browser in a PIXMC page.
CSCdy01919 See also CSCdx18147	PIXMC unable to import from devices with blank enable passwords.	When importing from a device, you must enter a non-empty enable password in the PIXMC import wizard. This prevents you from importing from devices with empty enable passwords. To work around this problem, write the device configuration to a file and then import it from a file or set a non-empty enable password in the device.
CSCdy05391	Device names shown in GUI might change during imports.	When you import from a file, the device name used in the Import Status page is the same as the filename from which the configuration is imported. However, the Submit/Approve wizard, the Generate Status page (the one that appears after you click Finish in the Submit/Approve wizard or after you click Status in the Activity Management for the Generate_Open/Submitted/Approved activity) and the Object Selector use the hostname in the configuration as the device name, if one is present. (If the hostname is missing, the filename is used.) To work around this problem, make sure that the filename for each configuration matches the hostname specified in the configuration file.
CSCdy25929	GUI allows incorrect PAT specifications yielding incorrect device configurations.	The global address pool that is used for a dynamic PAT can be specified as a single IP address or an interface on the PIXFirewall. When you add a global address pool for a dynamic PAT, the Enter Pool Element page contains the Use interface address for closing PAT check box, which enables the use of the PIXMC interface as the global address pool. This page also contains the Address Range(s)/Mask(Optional) field, which to allows you to enter the single IP address for the global address pool for PAT. If you select the check box and specify an address range, PIXMC generates two global address pools with identical global address pool IDs. The result is a bad configuration that fails during deployment. To work around this problem, when you specify PAT, either select the Use interface address for closing the PAT check box or enter an IP address in the Address Range(s)/Mask(Optional) text field, but do not do both.
CSCdy35048	Import of a configuration file containing special characters hangs.	If you try to import a configuration file that contains illegal characters, for example, ctrl-C, the import hangs and the status for each device being imported remains in the `STATUS_INITIALIZING` state. The overall task status remains at `STATUS_UNKNOWN`. To work around this problem, make sure configuration files contain only legal characters. If an import does hang due to illegal characters in a configuration file, cancel the import, correct the problem, and try the import again.
CSCdy50342	Deleting a device before deployment causes an error.	If you delete a device that is in a pending job, when you deploy the job you will receive the following error message: `You have encountered an ERROR!` To work around this problem, follow these steps: 1. Close the PIXMC GUI and start PIXMC from the CiscoWorks2000 (CW2K) Server desktop again. 2. Go to the Job Management page. The job containing the deleted device will be shown as deploying. 3. Select the job and click Status to show the names of the deleted devices that should appear "deleted" to confirm that the problem was because of a deleted device. 4. Create a new job to deploy to the devices that were not deleted.
CSCdy59201	Inherit settings from: lists wrong group name when not inheriting.	Whenever you do not select the Inherit settings from a check box, the text reads `Inherit setting from: Global,` instead of specifying the group from which the information would be inherited where this item selected. This is only a display problem. If you select the Inherit check box, PIXMC inherits correctly and the updated page shows the group from which you are inheriting. To work around this problem, use the object selector or the quick links next to SCOPE to walk up the group hierarchy towards Global to find out from where the setting is inherited. The closest ancestor that has its own settings (not inheriting) is the one from which the setting would be inherited.
CSCdy59541 See also CSCdw37546 or CSCdx05082	Various settings pages require clicking Apply before clicking Insert , Edit , or Delete .	The following Settings pages have both a dialog portion with Apply and Reset buttons, and a table portion with Insert, Edit, and Delete buttons: •Failover •Telnet •Secure Shell •SNMP •Syslog •URL Filter Server If you make changes in the dialog portion of the page and then click an action button in the table portion, your edits are not saved. To work around this problem, click Apply after editing the dialog portion of the page and before clicking any of the action buttons in the table portion.
CSCdz44380	Abbreviated interface names cause problems.	PIXMC parses the hardware or VLAN ID entries distinctly during command generation. Conversely, the firewall will parse these commands identically when entered into the CLI. For example eth1 , ether1 , and ethernet1 should all translate the same, but they will get parsed as distinct commands when entered into the Interface panel. To work around this problem, avoid using abbreviations in the Interface panel.
CSCdz54923	Importing while another import is in process will cause problems.	If you import before a previous import is completed within the same activity, you will not get an error message preventing you from doing this. As a result, the tomcat server might crash or the second import fails. To work around this problem, make sure only one import going on in an activity at any time.
CSCdz65349	Incorrect password reset results in no password change.	On the Easy VPN Remote page, when the new and confirming passwords are mismatched (entered differently), no password changes occurs. If you try to change your password and enter mismatched passwords, PIXMC will issue an error message, but if you do not fix the problem and click Apply for other changes on the page, no password change will take effect. To work around the problem, reenter the passwords.
CSCea05761	Adding a space after a Failover IP address causes an error.	PIXMC produces an error message if the Failover IP address has an extra space after it. To work around this problem, make sure you do not add additional spaces when you enter the Failover IP address.
CSCea06629	Internet Explorer might crash during an operation.	In some instances, Internet Explorer might crash while performing an operation in PIXMC. To work around this problem, close all browsers, open a new browser, log into the desktop and launch PIXMC again to retry the operation.
CSCea12091	Direct authentication fails due to password length.	When you use the direct login API, through either an emailed link to a report or through a bookmark to the direct URL, authentication fails if your password has a number of characters that is a multiple of 4. To work around this problem, change your password to a number of characters that is not a multiple of 4.
CSCea20069	Not specifying mask in HTTPS causes http 0.0.0.0 0.0.0.0 <intf>	If you do not enter a mask when you add the interface or address for addresses with HTTPS access to a firewall device, the command http 0.0.0.0 0.0.0.0 <interface> is generated. This allows any host connected to that interface to access the device via HTTP. No error message will be displayed, but you will see the warning `***Caveat Warning: Cannot find setting:Reading PdmHttpIpMask` when you generate a configuration for the device. To work around this problem, specify an IP mask when entering interface/address information.
CSCea22527	Toggling Use-Local and not reentering vpdn pwd sends * to device	When you edit the PPPoE information for an interface, if you do not reenter the vpdn password after enabling and then disabling the Use Local feature, PIXMC will try to set the password to a string of asterisks (*****). This results in an error on the firewall device. To work around this problem, always reenter the vpdn password after clearing the Use Local checkbox for an interface.
CSCea28641	Invalid option when selecting FWSM OS version.	From the Configure > Settings > Firewall OS Version page, FWSM 1.1(3) is listed as a valid OS version. However, FWSM 1.1.(3) is not valid OS and should not be selected. No workaround is available
CSCin33388	Applet for access rules doesn't load after enabling SSL for CW2K desktop	If you enable SSL for the CiscoWorks2000 Server desktop, the PIXMC server must be synchronized with the CiscoWorks2000 Server so that they use the same certificate. Using a different certificate causes an error while the access rules applet is loading. The symptoms of this error are that the applet fails to load, the message `Loading Java Applet` appears, and the screen freezes. To work around this problem, direct the PIXMC server to use the CiscoWorks2000 Server certificate. For details, see "Changing the SSL Certificate", Section 3-18 in Using Common Services or the following excerpt.
CSCin33388 (continued)	Applet for access rules doesn't load after enabling SSL for CW2K desktop (continued)	To change the SSL certificate used by CiscoWorks Common Services, follow these steps: 1. Select VPN/Security Management Solution > Administration > Configuration > Certificate from the navigation tree. The Certificate Configuration page appears. The certificate that is used by CiscoWorks Common Services to secure the SSL connection is selected. 2. To change the selection, click the desired certificate. 3. Click Finish. 4. Click OK. 5. Shut down and restart CiscoWorks Common Services. This restarts your session using the selected certificate. If the browser still does not load the applet, you must resynchronize the JRE with the desktop. Do the following: 1. Select Settings > Control Panel > Add/Remove Programs. 2. Select the JRE and remove it. 3. In the browser, enter the URL for the CiscoWorks2000 Server. You are prompted to install JRE. 4. Reinstall the JRE. The browser JRE and server JRE are synchronized.

Table 11 Import Known Problems
Bug ID	Summary	Additional Information
CSCdz77952	`PIX MC does not check for miss- ing URL server on import.`	PIXMC does not check to see if a URL server is present when a filter URL is configured. To work around this problem, make sure you specify the URL server in the import configuration file if it enables URL filtering.
CSCdy71451	Canceled imports create incorrect device settings.	You cannot cancel an import if the import status page displays `STATUS_INITIALIZING`. In addition, if the device status is `STATUS_WORKING` or `STATUS_WAITING` and you cancel the import, the devices that were not imported before the cancellation retain their default settings. To work around this problem, wait for the device status to show `STATUS_WORKING` or `STATUS_WAITING` before canceling an import. After you cancel the import, delete the devices showing `STATUS_CANCELLED`. You can delete the devices that were imported successfully if you plan to import the devices again. Alternatively, if no changes other than the imports have been made in this activity, undo the activity and start over with a new activity.
CSCea16773	Device import of a CSV file formatted for interfaces causes errors.	Importing from a CSV file that is not of the right format might cause a null pointer exception. To work around this problem, do one of the following: •Click your browser's Back button •Close the browser and reopen PIXMC.
CSCdz43238	Cannot import from devices with AAA authentication.	Single direct device import does not work for a device set up to authenticate to a AAA server. To work around this problem, create a CSV file that contains one line of information for the device, including the AAA information, choose to import multiple firewall configurations from a CSV file, and enter the CSV file you created. For example, the file you create to contact a device at address 192.168.1.1 with user name "myname" and password "mypass" would look like: `192.168.1.1,,,,,,,,,,,myname,mypass,,,,,,`

Table 12 Installation Known Problems
Bug ID	Summary	Additional Information
CSCea07795	Installer may falsely report that there is not enough disk space to install PIXMC.	You need 18.68 MB of disk drive space to extract PIXMC installation files or you will receive an error message indicating there is not enough hard drive space. To work around this problem, retry or unzip the PIXMC archive into a temporary folder and run setup.exe.
CSCea26266	File copy window should not have cancel button	Clicking Cancel during the file copy portion of the PIXMC installation corrupts the installation. This is not a problem when you perform a clean install because PIXMC 1.1 reinstalls over a incomplete previous installation with no difficulties. However, if you are upgrading from a previous release to release 1.1, you might be unable to use the previous version of PIXMC without uninstalling and reinstalling Common Services and CiscoWorks2000. To work around this problem, back up your database before performing an upgrade.

Table 13 PIX MC Server Known Problems
Bug ID	Summary	Additional Information
CSCdw45096	Device Contact Info and AUS Contact settings are not retained as part of a job.	When you create a job, the PIX Device Contact Info and AUS Contact settings for each device in the job are not stored as a part of the job. When you deploy the job, the current values for these settings are used to deploy to a device, or to AUS. This means that changes made to these settings after a job is created will affect how a job operates when it is deployed. To work around this problem, deploy existing jobs before changing the PIX Device Contact Info and AUS Contact settings for any device in any undeployed jobs.
CSCdx11318	Modifying routes might disconnect communication with PIXFirewalls.	Before PIXMC can manage any PIXFirewall, you must bootstrap the device with the right routes and http settings so that PIXMC can communicate with it. Any changes in PIXMC to the routes that affect connectivity between PIXMC and the device could cause a deployment to the device to fail. To work around this problem, correct the routes in PIXMC and redo the boostrapping process on the PIXFirewall if you are disconnected.
CSCdy54803	Changing an interface name causes generate and deployment errors.	When generating a configuration, some settings refer to interface names and will cause generation errors after the interface is renamed. These settings have to be changed to refer to the new name as well. These settings refer to interfaces and must be changed to use the new name: • Failover • Static Routes • RIP • Proxy Arp • HTTPS (SSL) • Telnet • Secure Shell • SNMP • ICMP Interface Rules • Syslog • URL Filter Server • TFTP Server • IDS Policy • Anti-spoofing • Fragment
CSCdy54803 (continued)	Changing an interface name causes generate and deployment errors. (continued)	When PIXMC deploys to a device, it might need to negate commands. Some of those commands could refer to an interface by that interface's name. An example is the route command, whose form is route if_name ip_address netmask gateway_ip [metric], where if_name is the name of the interface. If the interface name changes, these negated commands will use the interface's old name instead of the new name, which will cause deployment errors. To work around this problem, do not change an interface name and other aspects of a device within a single deployment. For example, change the interface name, deploy that change, and then make further changes as needed.
CSCdy70897	Settings might be duplicated after a crash during an import.	If the database crashes while PIXMC is performing an import, the import resumes automatically when PIXMC restarts. Those device imports that were not completed before the crash will be reinitiated. If information about a device from the initial import was committed before the crash, the task will be performed a second time, and the second import will add the information to the device without removing the old information. Consequently, there might be duplicate table entries for fixups, translation rules, access rules, and others. When you generate a configuration, warnings and errors about the duplicate items will be generated. To work around this problem, delete devices with duplicate information and reimport them.
CSCdy82136	Job Status/View Config pages are not checked for privileges.	If you use PIXMC with Cisco Secure ACS, and use the ACS Network Device Groups feature to assign permissions to a device or group, PIXMC does not check permissions for the View Config and View Transcript functions in the Job Status popup window. However, the permissions are correct in the Configuration pages. When the device is deployed, unauthorized users can see the status of the job that deployed the device, can access the configuration with the View Config function, or see the transcript with View Transcript. There is no workaround.
CSCdy87634	Access Rules might reference deleted network objects.	If you delete a network object that is being used in an access rule, you are left with an unresolved reference in the access rule. To work around this problem, edit the access rule so that it no longer references the obsolete network object.
CSCdz34603	Serial parameter for aaa commands should be removed.	PIXMC generates the aaa authentication serial console group_tag command for FWSM if such an entry is configured in the GUI. This generated command will cause your deployment to fail if the meta setting is not set to Continue with deployment errors . To work around this problem, either unconfigure this aaa authentication serial entry in the GUI, or change the meta setting to allow the deployment to continue with errors.
CSCdz34667	ospf sometimes generate errors in Ending Commands.	ospf commands for FWSM are supported by pushing them into the Ending Commands (epilog) file after device import. However, since some commands cannot be sent twice to the device and Ending Commands treats these as verbatim commands and so does not recognize the nature of each command, all Ending Commands will be sent to the device and those that can't be repeated will cause deployment errors. In addition, some ospf commands return a message during deployment that PIXMC does not recognize and treats as an error. To work around this problem, set the meta setting to allow deployment to continue with errors, or remove the offending commands from the Ending Commands file if they are on the device already.
CSCdz64177	Client might be slow when connecting to a PIXMC server remotely.	Remote access might be slow when connecting to a PIXMC server without the appropriate DNS entry (Address and Pointer Records). To work around this problem, verify that a DNS entry has been created.
CSCdz76099	Need Ending Commands file support for the access-list (ospf ) cmd.	FWSM has added a new type of access list commands (ACLs) for ospf commands. These new ACLs are not supported by this version of PIXMC and are not easily distinguishable from normal ACLs. For these reasons, if they are encountered, they create parsing errors, prevent you from importing configurations from devices or files, and cause deployment errors. The ideal workaround for this problem is to avoid using the new ACLs. If you must use them, do not deploy directly to device. Instead, import a configuration without the new commands, then modify the Ending Commands file and deploy to file.
CSCea11802	The command no rip parses incorrectly.	Some versions of CSPM generate this command before optimizing deployment. Therefore, if you manually export the Command tab settings from CSPM and try to import them into PIXMC, you might have this problem. The command is interpreted as a positive rip command, which enables rip instead of disabling an existing command. The negated form of the rip command parses correctly although the system might report an error. The command will be processed as a positive rip command. To work around this problem, remove the no rip commands from the file before importing.

Table 14 Known Problems with CiscoWorks Common Services that Impact PIX MC
Bug ID	Summary	Additional Information
CSCdx36716	User is not notified of failure when shutting down during restore.	For details, see http://www.cisco.com/en/US/products/sw/cscowork/ps3996/prod_release_note09186a00800e3dc2.html#xtocid5.
CSCdx38044	Restore freezes during management/monitoring center command generation.	For details, see http://www.cisco.com/en/US/products/sw/cscowork/ps3996/prod_release_note09186a00800e3dc2.html#xtocid5.
CSCdx74308	Services do not start after reboot during installation.	For details, see http://www.cisco.com/en/US/products/sw/cscowork/ps3996/prod_release_note09186a00800e3dc2.html#xtocid5.
CSCdy00311	Letting a session time out can fill event log with crmtftp messages.	For details, see http://www.cisco.com/en/US/products/sw/cscowork/ps3996/prod_release_note09186a00800e3dc2.html#xtocid5.
CSCdy02949	Difficulty browsing CiscoWorks2000 desktop from server machine.	For details, see http://www.cisco.com/en/US/products/sw/cscowork/ps3996/prod_release_note09186a00800e3dc2.html#xtocid5.
CSCdy06590	Restoring during scheduled backup requires reboot.	For details, see http://www.cisco.com/en/US/products/sw/cscowork/ps3996/prod_release_note09186a00800e3dc2.html#xtocid5.
CSCdy25551	MDCSupport utility does not erase its temporary directory.	For details, see http://www.cisco.com/en/US/products/sw/cscowork/ps3996/prod_release_note09186a00800e3dc2.html#xtocid5.
CSCdy26688	Cannot launch CW2K desktop after Common Services installed on system with netForensics.	For details, see http://www.cisco.com/en/US/products/sw/cscowork/ps3996/prod_release_note09186a00800e3dc2.html#xtocid5.
CSCdy28951	Licensing error when SQL service is not started	For details, see http://www.cisco.com/en/US/products/sw/cscowork/ps3996/prod_release_note09186a00800e3dc2.html#xtocid5.
CSCdy31988	Sybase service problem on Win2K server with Terminal Services on.	For details, see http://www.cisco.com/en/US/products/sw/cscowork/ps3996/prod_release_note09186a00800e3dc2.html#xtocid5.
CSCin11975	Changing the Windows password causes service startup to fail.	For details, see http://www.cisco.com/en/US/products/sw/cscowork/ps3996/prod_release_note09186a00800e3dc2.html#xtocid5.
CSCin14028	CiscoWorks links do not work due to change in server IP address.	For details, see http://www.cisco.com/en/US/products/sw/cscowork/ps3996/prod_release_note09186a00800e3dc2.html#xtocid5.

Obtaining Documentation

Cisco provides several ways to obtain documentation, technical assistance, and other technical resources. These sections explain how to obtain technical information from Cisco Systems.

Cisco.com

You can access the most current Cisco documentation on the World Wide Web at this URL:

http://www.cisco.com/univercd/home/home.htm

You can access the Cisco website at this URL:

http://www.cisco.com

International Cisco web sites can be accessed from this URL:

http://www.cisco.com/public/countries_languages.shtml

Documentation CD-ROM

Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which may have shipped with your product. The Documentation CD-ROM is updated monthly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual subscription.

Registered Cisco.com users can order the Documentation CD-ROM (product number DOC-CONDOCCD=) through the online Subscription Store:

http://www.cisco.com/go/subscription

Ordering Documentation

You can find instructions for ordering documentation at this URL:

http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm

You can order Cisco documentation in these ways:

•Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Networking Products MarketPlace:

http://www.cisco.com/en/US/partner/ordering/index.shtml

•Registered Cisco.com users can order the Documentation CD-ROM (Customer Order Number DOC-CONDOCCD=) through the online Subscription Store:

http://www.cisco.com/go/subscription

•Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, U.S.A.) at 408526-7208 or, elsewhere in North America, by calling 800553-NETS (6387).

Documentation Feedback

You can submit comments electronically on Cisco.com. On the Cisco Documentation home page, click Feedback at the top of the page.

You can email your comments to bug-doc@cisco.com.

You can submit your comments by mail by using the response card behind the front cover of your document or by writing to the following address:

Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883

We appreciate your comments.

Obtaining Technical Assistance

Cisco provides Cisco.com, which includes the Cisco Technical Assistance Center (TAC) Website, as a starting point for all technical assistance. Customers and partners can obtain online documentation, troubleshooting tips, and sample configurations from the Cisco TAC website. Cisco.com registered users have complete access to the technical support resources on the Cisco TAC website, including TAC tools and utilities.

Cisco.com

Cisco.com offers a suite of interactive, networked services that let you access Cisco information, networking solutions, services, programs, and resources at any time, from anywhere in the world.

Cisco.com provides a broad range of features and services to help you with these tasks:

•Streamline business processes and improve productivity

•Resolve technical issues with online support

•Download and test software packages

•Order Cisco learning materials and merchandise

•Register for online skill assessment, training, and certification programs

To obtain customized information and service, you can self-register on Cisco.com at this URL:

http://www.cisco.com

Technical Assistance Center

The Cisco TAC is available to all customers who need technical assistance with a Cisco product, technology, or solution. Two levels of support are available: the Cisco TAC website and the Cisco TAC Escalation Center. The avenue of support that you choose depends on the priority of the problem and the conditions stated in service contracts, when applicable.

We categorize Cisco TAC inquiries according to urgency:

•Priority level 4 (P4)—You need information or assistance concerning Cisco product capabilities, product installation, or basic product configuration.

•Priority level 3 (P3)—Your network performance is degraded. Network functionality is noticeably impaired, but most business operations continue.

•Priority level 2 (P2)—Your production network is severely degraded, affecting significant aspects of business operations. No workaround is available.

•Priority level 1 (P1)—Your production network is down, and a critical impact to business operations will occur if service is not restored quickly. No workaround is available.

Cisco TAC Website

You can use the Cisco TAC website to resolve P3 and P4 issues yourself, saving both cost and time. The site provides around-the-clock access to online tools, knowledge bases, and software. To access the Cisco TAC website, go to this URL:

http://www.cisco.com/tac

All customers, partners, and resellers who have a valid Cisco service contract have complete access to the technical support resources on the Cisco TAC website. Some services on the Cisco TAC website require a Cisco.com login ID and password. If you have a valid service contract but do not have a login ID or password, go to this URL to register:

http://tools.cisco.com/RPF/register/register.do

If you are a Cisco.com registered user, and you cannot resolve your technical issues by using the Cisco TAC website, you can open a case online at this URL:

http://www.cisco.com/en/US/support/index.html

If you have Internet access, we recommend that you open P3 and P4 cases through the Cisco TAC website so that you can describe the situation in your own words and attach any necessary files.

Cisco TAC Escalation Center

The Cisco TAC Escalation Center addresses priority level 1 or priority level2 issues. These classifications are assigned when severe network degradation significantly impacts business operations. When you contact the TAC Escalation Center with a P1 or P2 problem, a Cisco TAC engineer automatically opens a case.

To obtain a directory of toll-free Cisco TAC telephone numbers for your country, go to this URL:

http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml

Before calling, please check with your network operations center to determine the level of Cisco support services to which your company is entitled: for example, SMARTnet, SMARTnet Onsite, or Network Supported Accounts (NSA). When you call the center, please have available your service agreement number and your product serial number.

Obtaining Additional Publications and Information

Information about Cisco products, technologies, and network solutions is available from various online and printed sources.

•The Cisco Product Catalog describes the networking products offered by CiscoSystems as well as ordering and customer support services. Access the Cisco Product Catalog at this URL:

http://www.cisco.com/en/US/products/products_catalog_links_launch.html

•Cisco Press publishes a wide range of networking publications. Cisco suggests these titles for new and experienced users: Internetworking Terms and Acronyms Dictionary, Internetworking Technology Handbook, Internetworking Troubleshooting Guide, and the Internetworking Design Guide. For current Cisco Press titles and other information, go to Cisco Press online at this URL:

http://www.ciscopress.com

•Packet magazine is the Cisco monthly periodical that provides industry professionals with the latest information about the field of networking. You can access Packet magazine at this URL:

http://www.cisco.com/en/US/about/ac123/ac114/about_cisco_packet_magazine.html

•iQ Magazine is the Cisco monthly periodical that provides business leaders and decision makers with the latest information about the networking industry. You can access iQ Magazine at this URL:

http://business.cisco.com/prod/tree.taf%3fasset_id=44699&public_view=true&kbns=1.html

•Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in the design, development, and operation of public and private internets and intranets. You can access the Internet Protocol Journal at this URL:

http://www.cisco.com/en/US/about/ac123/ac147/about_cisco_the_internet_protocol_journal.html

•Training—Cisco offers world-class networking training, with current offerings in network training listed at this URL:

http://www.cisco.com/en/US/learning/index.html

This document is to be used in conjunction with the documents listed in the "PIX MC 1.1 Documentation" section.

Table Of Contents